Facebook is now Koobface-free, and security researchers have publicized information about the five perpetrators behind the massive botnet.

Security researchers have publicly unmasked five people they believe are behind Koobface, a botnet that spreads on social-networking sites and directs users to Websites selling fake antivirus and other scams.

Facebook has been fighting the malware for the past year and successfully took one of the command-and-control servers controlling the botnet offline last March, the social-networking site proclaimed Jan. 17 on the Facebook Security blog. Facebook has been Koobface-free for more than nine months, according to the post.

"Facebook Security was able to perform a technical takedown of this 'Command & Control' mothership," the company wrote.

Security companies, Facebook and the Federal Bureau of Investigation have been tracking the gang for at least two years, according to The New York Times. The alleged gang members have been identified as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk and Stanislav Avdeiko. They are currently operating out of Russia and are active on various social-networking sites, checking in at their offices on FourSquare and posting on Twitter.

"We've had a picture of one of the guys in a scuba mask on our wall since 2008," Ryan McGeehan, manager of investigations and incident response at Facebook, told The Times.

Facebook's security team "worked non-stop" to detect the malware, remediate affected users, and identify the responsible parties, Facebook said. The company said it would be sharing the data with the larger security community and law enforcement. "We won't declare victory" until the authors are brought to justice, the company said.

The Koobface Working Group, a team of security researchers from across the industry, had been tracking the group, Graham Cluley, senior technology consultant for Sophos, wrote on the Naked Security blog. A paper had been planned for the Virus Bulletin security conference last year, but the FBI asked the authors to cancel the presentation in order not to interfere with the investigation.

Researchers were able to take advantage of a mistake the Koobface criminals made in the way they configured their Apache Web server and Web statistics tool on the C&C server to identify IP addresses and domains used by the attackers, according to Cluley's detailed writeup of the investigation. Researchers were also able to gain access to backups, which helped them find images, phone numbers and nicknames that may be used to identify the attackers.

Various Web searches helped uncover email addresses and nicknames associated with the phone numbers and nicknames as well as accounts on other social-networking sites such as Flickr, Twitter, YouTube and LiveJournal, according to Cluley. While nicknames aren't as good as first and last names, they are usually "life-long" once picked, especially in the criminal underground where no one is using their real identity, Cluley said. "There is a need to distinguish between those that offer reliable cyber-crime services and those who don't," Cluley said.

Cluley said the evidence has been turned over to law-enforcement agencies, but that none of the individuals the team had identified have been charged or found guilty of any crimes.

The criminals allegedly made an estimated $2 million between 2009 and 2010 using Koobface's network of infected computers scattered around the world to infect computers and redirect users to malicious Websites, according to a 2010 report from the Information Warfare Monitor initiative. The money came from referral fees these sites paid for each visitor who came to their site as well as from users who paid to buy fake antivirus software. Koobface is known for targeting users on various social networks, including MySpace, hi5 and Facebook.